proxmox 2 iptables on the host is not filtering guest anymore?



RRJ
05-01-2012, 03:26 AM
Hey,

In 1.x I had iptables rules on the host machine to filter incoming and outgoing connections to my containers and KVM guests via the FORWARD table. But after the 2.x upgrade this scheme is not working anymore. Even if I just add a default action of DROP in the FORWARD table, it still allows the connections.

How can I filter all the connections from the host now? Do I really have to set up iptables on every single guest OS?

dietmar
05-01-2012, 10:17 AM
Maybe you need to change settings in /etc/sysctl.d/pve.conf

RRJ
05-01-2012, 01:22 PM
Thank you dietmar,
You've made my day :).
Why did you decide to turn it off by default?
What were the defaults for those settings in 1.9? Just to be sure everything is working as expected.
And is there a manual so I could read about all changes in 2.0? :)

dietmar
05-01-2012, 04:00 PM
Why did you decide to turn it off by default?

It is considered a security risk.

apmuthu
05-01-2012, 05:11 PM
FWIW:

In Proxmox VE v1.9 there is no /etc/sysctl.d/pve.conf file.

There is only a /etc/sysctl.d/vzctl.conf file that has the following:

# On Hardware Node we generally need
# packet forwarding enabled and proxy arp disabled

net.ipv4.ip_forward = 1
net.ipv4.conf.default.forwarding=1
net.ipv4.conf.default.proxy_arp = 0

# Enables source route verification
net.ipv4.conf.all.rp_filter = 1

# Enables the magic-sysrq key
kernel.sysrq = 1

# TCP Explicit Congestion Notification
#net.ipv4.tcp_ecn = 0

# we do not want all our interfaces to send redirects
net.ipv4.conf.default.send_redirects = 1
net.ipv4.conf.all.send_redirects = 0
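
An added check, not from this thread or from Proxmox: a POSIX sh script that reads sysctl.conf-style text and reports whether net.bridge.bridge-nf-call-iptables (the kernel knob that decides if bridged guest frames reach the host's iptables FORWARD chain) leaves bridged traffic filtered. That Proxmox 2.x ships this key as 0 in /etc/sysctl.d/pve.conf, and that it defaulted to 1 on the 1.9 kernel, are assumptions here; the sample configs are constructed.

```sh
#!/bin/sh
# Does bridged guest traffic hit the host's iptables FORWARD chain?
# net.bridge.bridge-nf-call-iptables = 1 passes bridged frames to iptables,
# 0 bypasses it. Assumption: Proxmox 2.x ships 0 in /etc/sysctl.d/pve.conf,
# which is why a DROP policy on FORWARD appears to be ignored.

# sysctl_get KEY: read sysctl.conf syntax on stdin ("key = value", '#'
# comments, last assignment wins), print KEY's value; return 1 if absent.
sysctl_get() {
    v=$(sed 's/#.*//' | awk -F= -v k="$1" '
        NF >= 2 {
            key = $1; val = $2
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == k) { found = 1; last = val }
        }
        END { if (found) print last }')
    [ -n "$v" ] && printf '%s\n' "$v"
}

# bridge_filtering_state: classify the config on stdin as
# "filtered" (rc 0), "unfiltered" (rc 1) or "unset" (rc 2).
bridge_filtering_state() {
    v=$(sysctl_get net.bridge.bridge-nf-call-iptables) || v=""
    case "$v" in
        1) echo filtered;   return 0 ;;
        0) echo unfiltered; return 1 ;;
        *) echo unset;      return 2 ;;
    esac
}

# Constructed sample of what an unfiltered 2.x pve.conf is assumed to
# contain (not a copy of the real file).
sample_pve2_conf() {
    printf '%s\n' '# bridged traffic bypasses iptables' \
        'net.bridge.bridge-nf-call-iptables = 0' \
        'net.bridge.bridge-nf-call-ip6tables = 0'
}

# Constructed sample in the spirit of the 1.9 vzctl.conf above: the key is
# never set, so the kernel default applied (assumed to be 1, filtered).
sample_v19_conf() {
    printf '%s\n' 'net.ipv4.ip_forward = 1' 'net.ipv4.conf.all.rp_filter = 1'
}

# Live value on this host, when the bridge module exposes the knob.
if [ -r /proc/sys/net/bridge/bridge-nf-call-iptables ]; then
    printf 'live kernel value: %s\n' "$(cat /proc/sys/net/bridge/bridge-nf-call-iptables)"
fi
```

Pipe any sysctl file into bridge_filtering_state (for example `cat /etc/sysctl.d/*.conf | bridge_filtering_state`) to see whether the host's FORWARD rules can apply to guest traffic at all.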

RRJ
05-01-2012, 09:33 PM
Could you tell me more about this risk? Why, and what kind of risk?

RRJ
05-02-2012, 08:44 PM
up please